Data Processing Agreement

Last updated 23 May 2026

This Data Processing Agreement (“DPA”) forms part of the service agreement between Vortx AI Private Limited (“Processor”) and the business customer (“Controller”) using the geo.qa platform. It implements the obligations of Article 28 of Regulation (EU) 2016/679 (“GDPR”) and parallel obligations under the UK GDPR and the Indian Digital Personal Data Protection Act, 2023 (“DPDPA”).

This is the standard published DPA used for self-service business customers. Enterprise customers may negotiate additional terms; contact avijeet@vortx.ai for a counter-signed version.

[ 01 ]

Parties

Processor: Vortx AI Private Limited, a company incorporated in India (CIN U72200JH2024PTC023101) with its registered office in Bengaluru, India, acting through its authorised signatory.

Controller: The legal entity that has signed up for a paid or evaluation subscription to the geo.qa service and whose representative has accepted this DPA either by clicking “I accept” in the geo.qa onboarding flow, by signing a copy of this document, or by entering into a Master Service Agreement that incorporates this DPA by reference.

[ 02 ]

Scope and roles

For all Personal Data the Controller submits to geo.qa or that geo.qa collects on the Controller’s behalf in connection with the service, the Controller is the data controller and Vortx AI Private Limited acts as the data processor under Article 4(7) and 4(8) GDPR.

For Personal Data the Processor collects independently to operate the service (account credentials of the Controller’s administrators, billing data, audit logs, security telemetry), the Processor acts as an independent controller and that processing is governed by the geo.qa Privacy Policy at geo.qa/privacy.

[ 03 ]

Subject matter and duration

Subject matter: Provision of the geo.qa geospatial AI platform, including chat assistants, document ingestion, retrieval, image analysis, alerts, and related features as described at geo.qa.

Nature and purpose: Hosting, processing, storage, transmission, retrieval, indexing, and AI-assisted analysis of Controller-supplied content for the purpose of delivering the contracted service.

Duration: The term of the underlying subscription, plus the retention period set out in section 11 below.

Categories of data subjects: The Controller’s authorised users, end-users the Controller invites to its workspace, and any individuals referenced inside content the Controller uploads.

Categories of personal data: Contact details (name, email), authentication identifiers, IP addresses, device and browser metadata, content the Controller chooses to upload (which may include free-text prompts, images, documents, geospatial coordinates), usage telemetry, and audit logs. The Controller is responsible for not uploading special categories of personal data under Article 9 GDPR unless a separate written addendum is in place.

[ 04 ]

Processor instructions

The Processor will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Indian, EU, or Member State law to which the Processor is subject. In that case, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller’s use of the service through its admin console and APIs constitutes documented instructions for the purposes of Article 28(3)(a) GDPR.

If the Processor believes that an instruction infringes the GDPR or other applicable data protection law, it will notify the Controller without undue delay.

[ 05 ]

Confidentiality

The Processor ensures that personnel authorised to process Personal Data are bound by a written or statutory duty of confidentiality. Access to production systems is limited to named engineers under role-based access control, with all access logged.

[ 06 ]

Security measures (Art. 32)

The Processor implements appropriate technical and organisational measures, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 for object storage, native PostgreSQL TDE for relational storage where supported).
  • Pseudonymisation and minimisation: opaque user IDs in logs; secret-redaction layer on the admin database explorer; IP addresses retained only for the documented retention window.
  • Strong authentication for staff (SSO with hardware MFA) and for end users (OAuth, SAML, time-bound OTP).
  • Network segmentation between the public web tier, the model-serving tier, and the relational/vector data tier.
  • Backup and disaster recovery procedures with documented Recovery Time and Recovery Point Objectives.
  • Regular vulnerability scanning, dependency-pin policy, and a quarterly internal security review.
  • Audit logging of administrative actions and security events for at least 90 days.

[ 07 ]

Sub-processors (Art. 28(2) and 28(4))

The Controller provides general authorisation for the Processor to engage sub-processors. The current list of authorised sub-processors is published at geo.qa/privacy#subprocessors.

The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance by updating that page and emailing the Controller’s billing contact. The Controller may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the service for a pro-rata refund.

The Processor imposes on each sub-processor data protection obligations no less protective than those in this DPA, including the security measures described in section 6.

[ 08 ]

Assistance with data subject rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures in fulfilling the Controller’s obligations to respond to requests for exercising the data subject rights laid down in Chapter III GDPR.

In particular, the service provides self-service endpoints for end users to exercise their rights of access (GET /api/user/data-export) and erasure (DELETE /api/user/me). Where the Controller needs to fulfil a request on behalf of one of its end users, the admin console provides per-user export and delete actions. If those are insufficient for a specific request, the Processor will assist within ten (10) business days of a written request to avijeet@vortx.ai.

[ 09 ]

Personal data breach notification

The Processor will notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will describe, to the extent then known:

  • The nature of the breach and categories of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address it.
  • A point of contact for follow-up.

Initial notification will not be delayed for completeness of all details; supplementary information will be provided as soon as it becomes available.

[ 10 ]

DPIA and prior consultation assistance

Taking into account the nature of processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments under Article 35 GDPR and in any prior consultations with a supervisory authority under Article 36 GDPR.

[ 11 ]

Deletion or return

Upon termination of the underlying subscription, the Controller may, within thirty (30) days, request a final export of its data through the admin console. After that window, the Processor will delete all Personal Data processed on behalf of the Controller, including from primary databases, object storage, search indices, and backups (backups are overwritten on a rolling 30-day cycle). The Processor will provide written confirmation of deletion on request.

The Processor may retain Personal Data only to the extent required by applicable law, in which case it will continue to apply the security measures in section 6 and limit processing to what is necessary for that legal purpose.

[ 12 ]

Audit and inspection

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.

The Controller may, on no less than thirty (30) days’ written notice and at its own cost, request an audit of the Processor’s processing facilities. To minimise disruption, the parties will first attempt to satisfy the audit through documentation, third-party certifications, and a written questionnaire. On-site audits are limited to once per calendar year unless a Personal Data Breach makes a second audit reasonably necessary, and must be conducted under reasonable confidentiality obligations and during business hours.

[ 13 ]

International transfers

The Processor is established in India. Where the Processor transfers Personal Data of EU/UK data subjects outside the European Economic Area or the United Kingdom (including within its own corporate group or to its sub-processors), it relies on one of the transfer mechanisms permitted under Chapter V GDPR — in practice the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and, where the receiving country is the United States, supplementary measures including EU-US Data Privacy Framework certification for sub-processors that hold it.

By signing this DPA, the Controller agrees that, where the Processor transfers data to itself in India under Article 46(2)(c) GDPR, the SCCs (Module 2) annexed to Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference, with Annex I, II, and III populated from the schedules in section 3 of this DPA and section 6 respectively.

[ 14 ]

Liability and indemnification

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the underlying service agreement, if any. In the absence of such agreement, each party’s aggregate liability is capped at the fees paid by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to liability.

Nothing in this DPA limits liability for: gross negligence, wilful misconduct, fraud, or liability that cannot be excluded under applicable law (including liability of the parties towards data subjects under Article 82 GDPR, which remains as set out in that Article).

[ 15 ]

Term and termination

This DPA takes effect on the date the Controller accepts it or signs the underlying service agreement that references it, and remains in force until all Personal Data processed under it has been deleted or returned in accordance with section 11.

In the event of any conflict between this DPA and the underlying service agreement, this DPA prevails to the extent of the conflict and only with respect to the parties’ data protection obligations.

[ 16 ]

Acceptance

The Controller accepts this DPA by any of:

  • Clicking the “I accept the Data Processing Agreement” checkbox during workspace onboarding.
  • Counter-signing a printed or PDF copy of this DPA and returning it to avijeet@vortx.ai.
  • Entering into a Master Service Agreement that incorporates this DPA by reference.

Enterprise customers requiring negotiated terms (additional sub-processor restrictions, custom retention windows, named audit firm, etc.) should contact avijeet@vortx.ai before accepting.